The researchers successfully defeated four popular disk encryption products: BitLocker, which ships with Windows Vista; FileVault, which ships with Mac OS X; dm-crypt, which is used with Linux; and even the open source program TrueCrypt (versions 4.3a and 5.0a) running on a Linux system.

At the heart of the attack is the fact that DRAM chips retain their contents for a brief window of time after the system loses power. If the chips are cooled and/or their contents captured within that window, the encryption keys can be recovered from the captured memory and the drive decrypted with them.

(Literally) cool stuff.

Yes, it does require a focused attack, as the system must already be up and running (say, locked but in sleep mode, where the RAM stays powered and the keys never leave it), or be grabbed and attacked within seconds of a full shutdown or hibernation, both of which cut power to the RAM.

I do find it interesting in light of corporations (and some private users) turning to drive-encryption solutions to deal with data loss from laptops and other storage devices.

Our research shows that data in DRAM actually fades out gradually over a period of seconds to minutes, enabling an attacker to read the full contents of memory by cutting power and then rebooting into a malicious operating system.

Interestingly, if you cool the DRAM chips, for example by spraying inverted cans of "canned air" dusting spray on them, the chips will retain their contents for much longer. At these temperatures (around -50 °C) you can remove the chips from the computer and let them sit on the table for ten minutes or more, without appreciable loss of data. Cool the chips in liquid nitrogen (-196 °C) and they hold their state for hours at least, without any power. Just put the chips back into a machine and you can read out their contents.

This is deadly for disk encryption products because they rely on keeping master decryption keys in DRAM. This was thought to be safe because the operating system would keep any malicious programs from accessing the keys in memory, and there was no way to get rid of the operating system without cutting power to the machine, which "everybody knew" would cause the keys to be erased.

Our results show that an attacker can cut power to the computer, then power it back up and boot a malicious operating system (from, say, a thumb drive) that copies the contents of memory. Having done that, the attacker can search through the captured memory contents, find any crypto keys that might be there, and use them to start decrypting hard disk contents.

As they point out, disk encryption is but one (though important) layer in the process of securing data on a portable (or non-portable) device.

Now incident responders need to add a few more questions to their pre- and post-loss assessment. Modifying slightly the list that ISC Handler Swa Frantzen provided:

Was the sensitive data on the laptop/device encrypted? If no, why not?

Why was that data sensitive?

Are there no better ways to do what that data does?

Why was sensitive data stored on a portable device?

Where was the absolute need to have the sensitive data?

Why was the sensitive data mixed in with less sensitive data?

Why was sensitive data allowed out of the organization that collected it?

Why was a laptop containing sensitive data left unattended?

How long ago was the laptop turned off?

Was the laptop turned off, or just asleep?

What encryption product was used and does it wipe its keys from RAM upon shutdown or sleep actions?

While this gives the "bad guys" some new techniques, it also gives forensics investigators the same techniques to consider and use during a seizure if the target system is suspected of using drive encryption and obtaining the password is doubtful or impossible.

Computer forensics author Harlan Carvey mentioned in his post on this study that "...TechPathways provides a tool called ZeroView, which can reportedly be used to detect [whole disk encryption]."
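What a "detect whole disk encryption" check amounts to, as an added example that is not ZeroView's or any other product's code: read the first sector of each volume and look for a recognizable signature. A BitLocker volume announces itself with the "-FVE-FS-" OEM id and a LUKS container with its "LUKS" magic, while a TrueCrypt volume or a plain dm-crypt mapping has no header to recognize and simply looks like random data, so a high byte entropy where a boot sector should be is the tell. The signatures used are the documented ones; the 7.0 bits-per-byte threshold, the function names and the sample sectors are this example's own constructions.

```python
"""Classify a volume's first sector: known filesystem, known encryption
container, or high-entropy data that may be headerless disk encryption.

Added example, not ZeroView's code. Signatures: NTFS and BitLocker OEM ids at
offset 3, FAT type strings at 54 and 82, LUKS magic at 0, 0x55AA marker at 510.
"""
import math
import random

SECTOR = 512


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant block, close to 8.0 for random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_boot_sector(sector, entropy_threshold=7.0):
    """Return a label for the volume whose first 512 bytes are given."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    oem = sector[3:11]
    if oem == b"-FVE-FS-":
        return "bitlocker"
    if sector[:6] == b"LUKS\xba\xbe":
        return "luks"
    if oem == b"NTFS    ":
        return "ntfs"
    if sector[54:59] in (b"FAT12", b"FAT16") or sector[82:87] == b"FAT32":
        return "fat"
    if sector[510:512] == b"\x55\xaa":
        return "bootable-unknown"
    # No signature at all: random-looking bytes suggest TrueCrypt/plain dm-crypt,
    # but a wiped or compressed region looks the same, so this is a lead, not proof.
    if shannon_entropy(sector[:SECTOR]) >= entropy_threshold:
        return "high-entropy-possibly-encrypted"
    return "unknown"


def sample_sectors(seed=11):
    """Constructed sectors for each case (not taken from real volumes)."""
    def bootable():
        s = bytearray(SECTOR)
        s[510:512] = b"\x55\xaa"
        return s

    ntfs = bootable()
    ntfs[3:11] = b"NTFS    "
    fat = bootable()
    fat[54:59] = b"FAT16"
    bitlocker = bootable()
    bitlocker[3:11] = b"-FVE-FS-"
    luks = bytearray(SECTOR)
    luks[:6] = b"LUKS\xba\xbe"
    rng = random.Random(seed)
    headerless = bytes(rng.getrandbits(8) for _ in range(SECTOR))  # no header, no marker
    return {"ntfs": bytes(ntfs), "fat": bytes(fat), "bitlocker": bytes(bitlocker),
            "luks": bytes(luks), "truecrypt-like": headerless, "zeroed": bytes(SECTOR)}


if __name__ == "__main__":
    for name, sector in sample_sectors().items():
        print(f"{name:15s} -> {classify_boot_sector(sector)}")
```

Run it against the first sector of each partition rather than the MBR itself (the MBR is plaintext even on a BitLocker or TrueCrypt system-encrypted disk). A "bitlocker" or "high-entropy" answer on a running, logged-in machine is the cue for the questions above: the keys are in RAM right now, and pulling the plug throws them away in seconds unless you capture memory first.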

While most will see this as mostly an "academic/forensics" issue, I think it bodes a warning against complacency by corporate and government end-users who might have encrypted devices and let their guard down a few notches.

If an end user, say, puts their encrypted laptop to sleep (while hanging out at the airport getting ready to go through screening, or in a conference setting during a break) and lets their guard down thinking "it's encrypted, what's the worry?", an attacker could seize the laptop while it is still "hot" (although locked) and use these methods to attack it later at their convenience. A sleeping machine is the worst case, since the RAM stays powered and the keys stay resident indefinitely; a hibernated or shut-down one only exposes them during the decay window after power is cut.

As I mentioned in the post comments there, I'm not a forensics guy but I do find as a sysadmin that many of the principles and methods are useful to know from a "foundations" standpoint when I am assessing a response strategy for a malware/virus infection on one of our desktop systems. It also provides me a good perspective for what to do/not do when I encounter "material" on a system that might very well be handed off to our own internal investigations division so I don't accidentally compromise something in my initial response and assessment. Always good skills for anyone who deals with desktop support to have and be on the lookout for.

Case Study #3

I knew the LiveCD List includes a number of Linux distributions that focus on workstation forensics.

These are discs that "live boot" a target system and perform data inspection, case documentation, and other activities without writing to the target system's disks.

They should provide a wealth of good tools and activities for budding and experienced forensics experts alike to become familiar with.

Here are the project items that seem to still be (somewhat) actively maintained:

Plan-B - quoting from the developer - "Plan-B is a bootable Linux environment without the need for a hard drive, it runs entirely in ram or from the cd, based on a basic, stripped installation of Red Hat Linux and the fundamental workings of the SuperRescue CD. A list of tools and utilities are also included for projects such as: Forensics/Data Recovery, System/Network Analysis and Security Scanning, Temporary Network Device/Server, IDS / NIDS System, and Network Status Report Creation." - Security Tools, Forensics Tools, and Audit Tools.

Helix - quoting from the developer - "Helix is a customized distribution of the Knoppix Live Linux CD. Helix is more than just a bootable live CD. You can still boot into a customized Linux environment that includes customized linux kernels, excellent hardware detection and many applications dedicated to Incident Response and Forensics. Helix has been modified very carefully to NOT touch the host computer in any way and it is forensically sound. Helix will not auto mount swap space, or auto mount any attached devices. Helix also has a special Windows autorun side for Incident Response and Forensics. Helix focuses on Incident Response & Forensics tools." - CD Contents

FIRE - Forensic and Incident Response Environment - quoting from the developer - "FIRE is a portable bootable cdrom based distribution with the goal of providing an immediate environment to perform forensic analysis, incident response, data recovery, virus scanning and vulnerability assessment. Also provides necessary tools for live forensics/analysis on win32, sparc solaris and x86 linux hosts just by mounting the cdrom and using trusted static binaries available in /statbins." - FIRE FAQ

FCCU GNU/Linux Forensic Boot CD - quoting from the developer - "This CD is based on KNOPPIX by Klaus Knopper. It is a remaster that I made to use at my work as a computer forensic investigator. Its main purpose is to create image copies of devices before analysis. It does not use a lot of cpu cycles for unnecessary programs, that is why it drops you to a shell right after the boot. It recognizes lots of hardware (Thanks to Klaus Knopper). It leaves the target devices unaltered (It does not use the swap partitions found on the devices). It contains a lot of tools with forensic purpose."

PLAC - Portable Linux Auditing CD - quoting from the developer - "PLAC is a business card sized bootable cdrom running linux. It has network auditing, disk recovery, and forensic analysis tools. ISO will be available and scripts to roll your own cd."
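What "create image copies of devices before analysis" and "leave the target devices unaltered" come down to, as an added example in Python that is not code from any of these discs: read the source block by block, never write to it, pad an unreadable block with zeros and record its offset rather than abort (the behaviour of dd's conv=noerror,sync), and hash the bytes actually written so the image can be verified against the source later. The "device" here is an in-memory buffer constructed for the example, and FlakySource is a helper invented for it to simulate a single bad sector.

```python
"""Forensic-style acquisition: bit-for-bit copy with zero-filled bad blocks and
a SHA-256 of what was written.

Added example, not code from Helix, FCCU or the other discs above. Reproduces
what `dd conv=noerror,sync` plus a hash run does; sources are in-memory buffers.
"""
import hashlib
import io
import os
import random

BLOCK = 64 * 1024


class FlakySource:
    """Wraps a file-like object and raises OSError on a read at one offset."""

    def __init__(self, fh, bad_offset):
        self._fh, self._bad = fh, bad_offset

    def seek(self, offset, whence=os.SEEK_SET):
        return self._fh.seek(offset, whence)

    def tell(self):
        return self._fh.tell()

    def read(self, n):
        if self._fh.tell() == self._bad:
            raise OSError("simulated unreadable sector")
        return self._fh.read(n)


def acquire(src, dst, block=BLOCK):
    """Copy src to dst; return bytes copied, SHA-256 of the image, bad offsets.

    src is only ever read. seek(0, SEEK_END) gives the size for regular files
    and for block devices, which is what bounds the loop.
    """
    size = src.seek(0, os.SEEK_END)
    digest = hashlib.sha256()
    bad = []
    offset = 0
    while offset < size:
        want = min(block, size - offset)
        src.seek(offset)  # re-seek every time so a failed read cannot desync us
        try:
            chunk = src.read(want)
        except OSError:
            chunk = b"\x00" * want  # conv=noerror,sync: pad and keep going
            bad.append(offset)
        if not chunk:
            break
        dst.write(chunk)
        digest.update(chunk)
        offset += len(chunk)
    return {"bytes": offset, "sha256": digest.hexdigest(), "bad_blocks": bad}


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


def demo():
    """One clean acquisition and one with a simulated bad block at 64 KiB."""
    rng = random.Random(3)
    data = bytes(rng.getrandbits(8) for _ in range(150_000))  # constructed "device"

    clean_img = io.BytesIO()
    clean = acquire(io.BytesIO(data), clean_img)

    flaky_img = io.BytesIO()
    flaky = acquire(FlakySource(io.BytesIO(data), BLOCK), flaky_img)
    out = flaky_img.getvalue()
    return {
        "clean_matches_source": clean["sha256"] == sha256_of(data) and not clean["bad_blocks"],
        "flaky_bad_blocks": flaky["bad_blocks"],
        "flaky_zero_filled": out[BLOCK:2 * BLOCK] == b"\x00" * BLOCK,
        "flaky_rest_intact": out[:BLOCK] == data[:BLOCK] and out[2 * BLOCK:] == data[2 * BLOCK:],
        "flaky_hash_is_of_image": flaky["sha256"] == sha256_of(out),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a real acquisition you would open the device node read-only (ideally behind a hardware write blocker), keep the returned hash and bad-block list in your case notes, and re-hash the image file before every analysis session. A non-empty bad_blocks list means the source can never hash to the same value as the image; record that at acquisition time so it is not later mistaken for tampering.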

Case Study #4

It's important to be able to clearly and accurately document your case notes during your investigations. There are many commercial solutions on the market, and these may be intimidating for someone to consider using, both from a cost and complexity standpoint. Some of the LiveCD tools above do contain audit and documentation tools that can be used.

Just this week I became aware of two such case-note applications that can run on Windows:

Technology Pathways ProDiscover Basic Edition - (freeware) - "...a complete GUI based computer forensic software package. It includes the ability to image, preserve, analyze and report on evidence found on a computer disk drive. It is freeware and may be used and shared without charge." It comes in both a regular system install version as well as a portable USB U3 format installer.

QCC Information Security UK - Casenotes - (freeware) - "The purpose of CaseNotes is to provide a single lightweight application program to run on the Microsoft Windows platform to allow forensic analysts and examiners of any discipline to securely record their contemporaneous notes electronically." For more information download the PDF Quick Start Guide. The Program does require the Microsoft .NET framework to run. Note, you might get a registration page to complete before you reach the actual download page. If this happens, I found that you can just leave all the fields blank and enter the captcha code only, and it will let you pass to the download page.

And, just by coincidence, the SANS-ISC Handler's Diary reported that VMware has a flaw that could let malware on a virtual system leak out onto the host system via shared folders. (Never a good idea to have enabled, in my humble opinion.)

In my previous post I mentioned that we have been hitting the iPods in our home pretty hard.

iTunes is loaded on the desktop system and this is the one we use to hold all our music/videos and manage the devices.

I've installed iTunes on the family laptops as well, but we only use those to listen to streaming music. I haven't taken the time to figure out if/how to use it to play music from the iPods as they aren't "registered" to those laptops, just the desktop system.

At work it gets even better. I don't like working and listening to my iPod via headphones. The phone rings too often and people keep talking to me over the cubicle walls.

In the past I just hooked it up directly to a set of pc speakers/amplifier and played it like a hacked up boom-box. I don't want to install iTunes on my work machines.

I'm going to try out Floola - (freeware) - which is a feature-packed amazement of goodness:

Floola is a freeware application to efficiently manage your iPod or your Motorola mobile phone (any model supporting iTunes). It's a standalone application that can be run directly from your iPod and needs no installation under Linux, Mac OS X and Windows (Windows Vista is supported).

Floola supports all commonly used iPod features including artwork, podcasts and smart playlists! It's also able to convert audio or video incompatible with the iPod so that you can copy almost any file to it. It even allows adding YouTube and MySpace videos by just entering the page URL!

DirList 1.1.0 - (freeware) - "This application allows you to browse all connected disks like Explorer and select folders and files for listing. Files can be listed by content too. The resulting listing can be saved to a CSV file or as HTML with a defined layout with preview."

Windows File Analyzer 1.0.0 - (freeware) - "This application decodes and analyzes some special files used by Windows OS. In these files is interesting information for forensic analysis. Every analysis result can be printed in user-friendly form." The individual analyzers, as described by the developer:

Thumbnail Database Analyzer - reads the Thumbs.db file and displays its content, including previews of the stored images.

Prefetch Analyzer - reads the files usually stored in the Prefetch folder and digs out the stored information.

Shortcut Analyzer - reads all shortcut files in a specified folder and displays the data stored in them.

Index.DAT Analyzer - reads a specified Index.dat file and displays its content. Index.dat files usually store Internet Explorer cookie, temporary file or history data.

Recycle Bin Analyzer - decodes and displays INFO2 files, which hold the Recycle Bin content information.

Windows Registry Recovery 1.3.2 - (freeware) - "This application allows you to read files containing Windows 9x, NT, 2K, XP, 2K3 registry hives. It extracts much useful information about configuration and Windows installation settings of the host machine. A registry hive can be exported into REGEDIT4 format. Every topic's data can be saved to CSV." The individual explorers, as described by the developer:

File Information - basic file properties and checksums.

Security Record Explorer - displays all security records used in the registry. Usage counter, owner SID, group SID, list of affected keys and list of SACL and DACL entries are displayed for every record, with flags and permissions enumerated. Available only for NT-based registry hives.

SAM - displays the machine SID and part of the SYSKEY. Enumerates local user and group accounts and some of their properties. Available only for the NT-based SAM hive.

Windows Installation - displays the Windows name, ID and key, install date and user registration info. Enumerates installed software with descriptions and install dates, and lists installed hotfixes with descriptions. Available only for the SOFTWARE hive (Product ID and key are extracted from the SYSTEM hive too).

Control Set - displays all configured devices that worked on the host machine, in a Device Manager-like tree with some properties. Available for the SYSTEM hive.

User Data - displays the user and machine name and a tree-based Start menu for the selected USER hive.

Startup Applications - enumerates applications that are registered to run after startup. Available for the SOFTWARE hive.

Services and Drivers - enumerates all installed services and drivers with properties. Available only for the NT-based SYSTEM hive.

Network Configuration - displays all installed network clients, protocols and services, and enumerates all defined network connections with their TCP/IP configuration. Available only for the NT-based SYSTEM hive.

Environment - displays all environment variables. Available only for the NT-based SYSTEM hive.

Shell Folders - displays shell folders (folders known to the system). Available only for the NT-based SYSTEM hive.

Raw Data - displays the whole registry in the familiar tree format. Contains powerful searching and a data interpreter.

Network Meter 1.0.0 - (freeware) - "This application scans for network interfaces and adapters installed in system and their monitoring. Detailed info for every interface is provided. Every interface monitor has simple statistics view and graphic display with time history."

Network Scanner 1.0.0 - (freeware) - "It is a free multi-threaded IP, NetBIOS and SNMP scanner with many advanced features. It is intended for both system administrators and general users who are interested in computer security. The program performs ping sweep, scans for opened TCP and UDP ports, resource shares and services. For devices with SNMP capability available interfaces are detected and basic properties displayed. In addition you have to edit results, save/load results to/from CSV and print network device list. It can also resolve host names and auto-detect your local IP range."

EXE Explorer 1.0.0 - (freeware) - "...based on MiTeC Portable Executable Reader. It reads and displays executable file properties and structure. It is compatible with PE32 (Portable Executable), PE32+ (64bit), NE (Windows 3.x New Executable) and VxD (Windows 9x Virtual Device Driver) file types. .NET executables are supported too. It enumerates introduced classes, used units and forms for files compiled by Borland compilers. It contains a powerful Resource Viewer that is able to analyze and display all basic resource types and some extra ones such as JPEG, AVI, REGISTRY. It contains an excellent Type Library viewer that enumerates all objects and creates an import interface unit in Object Pascal language. Every type of resource can be saved to file. EXE Explorer produces a text report with all important information about the selected file. Searching capability is also available. It searches all resources that can be interpreted as text."

InfoDesk - (freeware) - Don't let the Czech language fool you. An English translation is built into the downloaded application. InfoDesk provides a really nice micro-toolbar. Displayed are the system uptime, CPU utilization rate, memory utilization rate, a calendar/reminder, and a clock. However, the real "juice" of this tool lies in the right-click menu. Right-click on the bar and you will be able to quick-launch up to three custom applications, a calculator, a calendar, Windows Explorer, a notepad, the clipboard history, the event viewer, system information, a Net meter, a CLI console window, a Coder Tools utility, and the CPU monitor. Really handy things!

Spyware Terminator - (freeware) - is a good scanner. It does add a service to your system, however, which I tend to not like for "portability" reasons. The use of a "whitelist" to help prevent false-positives and speed scans is a nice touch. It is gaining in popularity.

However, I find that I am turning to two relatively new freeware products for my anti-malware scanning needs. Both are very full featured, provide frequent updates, and seem to do very thorough scans.

SUPERAntiSpyware - (freeware) - Handles minimal, full, and custom scan configurations, full detection and removal of malware, keyloggers, trojans, rootkits, and other baddies, doesn't use much memory, able to repair damaged internet connections (LSP), real-time protection is supported, and can run micro scans at system bootup and/or shutdown. The interface is nice and it is easy to view and review scan findings and elements.

Malwarebytes' Anti-Malware - (freeware) - I really like this one as well. Developed by the "RogueRemover" crew, this very new product is amazing. It is being updated frequently. Quick and full scans are available, real-time protection is available in the "paid" version, items can be quarantined for safety before final deletion from the system (just in case something breaks), the generated logs are very detailed, you can set ignore lists, and as an added bonus, FileASSASSIN has been incorporated into the program to delete "locked" files.

My search for a workable solution for putting one of our personally purchased DVDs onto an iPod began with Alvis's Christmas gift of a new iPod nano.

Up to this point we have had only shuffles and a Classic iPod so video playback has never been an issue.

However, with the new nano, came Alvis's desire to place one of her favorite movies on the nano.

I had experimented with the process of making a DVD to DVD duplicate before and it was very successful.

But this was new material for me.

There are lots of different options and software choices available to do this, and everyone has their own favorites.

So this is the combination I found that worked very easily for me, almost too easily.

Step One - Rip the DVD

I have tried various free DVD ripping programs. However, the one that I am using now and that works best is DVDFab HD Decrypter. It is free, has a great GUI, and seems to work great on the handful of DVDs I've tossed at it.

Launch the program after you have installed it.

Insert a DVD.

Click "Start" to copy the DVD contents (the Video_TS folder) to a specified location on your hard drive (make sure you have the space).

Rip times do vary, but generally take around 15-20 minutes or less depending on the disk size.

When completed you should have a local copy of the video's Video_TS folder on your system.

In the "Source" section, browse to the location of the Video_TS folder you saved the DVD rip to.

Set your Destination to the folder where the file you create will be placed.

On the right-hand side under "Presets" select the iPod "low rez" option. (You can try others, but this seems to work best for the nano's).

Punch the "Encode Video" button at the bottom.

A command-line window will appear and the re-encoding will begin.

Note: Go out and relax, do some errands, watch a movie. Do something. This re-encoding process will usually take up to an hour or two to complete, depending on the speed of your system. Some things just take a long time to do.

Put it in iTunes

When the conversion process is done, just drag the file you created and drop it into iTunes. Then you can add it to your nano (or whatever).

The few that I have done have resulted in very good quality conversions and the video/audio sync is almost always flawless...something that other applications and methods have trouble with.

Disclaimer

I ONLY rip our own personal DVDs and realize copying them onto my Apple device could be seen as a copyright usage problem. I, like many others, believe that porting a movie (or CD I own) onto a device I also own so that I can enjoy the movie on multiple devices is well within the intent of "fair use" laws.

I DON'T rip movies I rent or borrow. I DON'T share these files with ANYONE outside of Lavie and Alvis's nanos. I DON'T upload or offer them for sharing on the Net. I run quite a few security layers and DON'T keep the original rip files in a shared folder in our network.

I DO strongly recommend that you use these applications appropriately and within the parameters of copyright law and your country/local laws. I am most assuredly not a lawyer and the laws regarding "fair usage" seem to be changing on a daily basis.

As my regular readers may remember, I have Firefox loaded up on multiple systems at our home; on the main desktop system as well as both laptops.

Generally I still keep them all "sync'ed" by exporting the bookmarks file to a USB stick and "importing" it back to the system I am using. I'm usually able to keep it all straight in my mind and the girls don't use bookmarks much at all, so I haven't overwritten anyone (well, not that I know of).

Last weekend, I did a MAJOR cleanup and reorganization of my bookmarks/folders in Minefield (Firefox 3.0 nightlies). I've been using Minefield/Firefox 3.0 as my primary Firefox browser now that almost all of the bugs in Places (the bookmarking system) have been worked out. I REALLY like Firefox 3.0 now. Wowzers. Page rendering is awesome.

Only when I went to do my usual plan of importing the bookmarks from the Vista laptop Minefield build into the desktop Minefield build, it completely blew out Places/bookmarking on my desktop system. Weird.

I eventually got it semi-working, but ended up completely blowing away my previous installation of Minefield and its associated user profile. I rebuilt it from scratch.

Once you do this, you may need to use and run the Nightly Tester Tools Add-on to force compatibility on some of the extensions. You may still see some warnings on associated Add-ons, but they should still work as intended.

I understand it. I agree with it. I still want a method to pass through to a blocked site (even if it must first be enabled in about:config to keep average users away from it) without having to disable the "suspected attack site" option in its entirety.

(By the way, ScanWith.com is now no longer being blocked in Firefox 3 any more. Mischief managed?)

I haven't seen this become much of a public issue yet, but I think it very well might as more users move to Firefox 3 and encounter the behavior.

Techworld picked it up and determined that the Firebug add-on is the only one of 27 Mozilla "Recommended Add-ons" that is being blocked by Firefox 3.0 at this time.

I've been crashing Firefox (Minefield) a lot more often lately than I used to.

I suspect it has something to do with NewsFox and Minefield. It seems safest to just let NewsFox run in the background by itself until all the new feeds have been identified. If I switch to a new tab and continue browsing, sometimes I crash Minefield.

I also had to reapply many of my NewsFox tweaks in my new Minefield profile. However the latest version of NewsFox brings many of the options into the GUI Options settings in NewsFox so fewer about:config tweaks are required.

I mention this as I am now seeing the new Mozilla crash-reporting tool. As a good Firefox citizen I make it a habit of sending the crash data on to Mozilla. The way I see it, this is my little way of maybe helping out the development and fine-tuning of an awesome product.

One lesson I learned through this experience is how to correctly back up and restore my Places bookmarks as well as my NewsFox feed list.

Minefield (Firefox 3) actually has two ways to manage the bookmarks.

On the menu bar go to "Bookmarks" > "Show All Bookmarks"

This will bring up the bookmarks/Places management window called "Library".

Notice the "Import and Backup" menu-bar item.

The "Import" and "Export" options allow you to bring an HTML-formatted bookmark file into your current bookmark structure. Exporting sends your bookmarks out as an HTML-formatted file. This is useful if you wish to use them in another browser or application.

The real power-toys come in with the second set of options; "Backup" and "Restore".

Use the "Backup" option to create a snap-shot record of your entire Places/bookmark structure. It will be saved (by default) with the current date in the filename.

If you ever want to revert your Firefox 3.0 bookmarks completely to a prior version, then use the "Restore" feature and point to the location where you saved this manual backup. (Note: Firefox also seems to perform automatic bookmark library backups as well and you could use one of these also.)

What the restore does is to replace ALL the current bookmarks with the backup set. It is a complete swap, so you don't have to do any rearranging and deleting of the old ones for the new ones like you would if you used the "Import" feature.

Darn handy!

So now, as I move bookmarks between various systems, I always use the "Backup" and "Restore" options from within Firefox 3 instead of manually copying the profile's bookmark .html file(s). (Firefox 3 keeps its bookmarks in the profile's places.sqlite database; the "Backup" option writes a JSON snapshot of that database, while the HTML file is only an export.) I believe that manual copying is what got me into trouble with one of the newest nightly releases and led to my rebuild of Minefield and the profile.

In contrast, making and restoring a backup copy of your NewsFox feeds couldn't be simpler.

Click the little gear looking icon to display the options for NewsFox.

To back up, export your feed list to an OPML file and keep it somewhere safe. To restore, just choose "Import OPML" > "Start Fresh" > "from file". Browse to where your exported OPML file is and bring it back in.

Using this method you get a full and clean replace of your NewsFox feeds.

Sweet.

NoScript and YouTube (and then some).

I'm a BIG fan of the Firefox Add-on NoScript. It blocks JavaScript and other active content (Java, Flash and other plugins) on every site by default and adds its own filtering against XSS attacks. Then you can enable scripts on a targeted basis, permanently or temporarily, depending on your needs. I'm not comfortable doing any browsing without it.

However, I noticed that in Minefield I wasn't able to see any embedded YouTube videos on any websites. No matter what I enabled and allowed in NoScript.

I finally got it solved. Here's how.

I read through all the NoScript release threads in MozillaZine Forums for previous NoScript versions and up to through the current one.

I found the tip about adding "ytimg.com" to the NoScript whitelist and put that in (YouTube scripts now make calls to that domain, so it must be allowed). Restarted. Nope. YouTube videos still not appearing. Yes, Flash was at the latest version.

I also tried toggling the noscript.forbidActiveContentParentTrustCheck about:config preference to false, as found in a suggestion.

Still nothing.

So I disabled NoScript entirely in my Add-ons. Restarted Minefield. Still not getting them.

So I closed out Minefield and popped over to my parallel Firefox 2.0.0.12 build which has an almost identical setup of extensions/settings. YouTube videos displayed just fine. NoScript settings were identical between the Minefield and Firefox 2.x.

At this point I began thinking that maybe NoScript wasn't responsible for the issue I was seeing after all.

So I went back to Minefield and started considering the extensions I have installed (some not yet "officially" supporting Minefield).

The only one I could find that might have an impact was Adblock. So I disabled it. Restarted Minefield. Nope.

Then I uninstalled it completely.

Voilà! YouTube videos were displaying in pages correctly again!

Hurrah!

I ended up switching to Adblock Plus instead (which is way better anyway) in Minefield/Firefox 3 and (along with NoScript) everything is working great and the YouTube embeds are working as well.

My fault for "tweaking" unsupported extensions to work with Minefield. In most cases I've gotten away fine with it, but this time.....

So if anyone else has read all the tips and still can't get YouTube videos to display in Minefield/Firefox 3, AND is running NoScript (and has added ytimg.com to the whitelist), AND has installed the Adblock add-on, well, try uninstalling Adblock and switching to Adblock Plus.

You can use this utility to visually inspect, create, design and edit database files compatible with SQLite. You can also import and export records which is really useful when you are working with the information located in the Mozilla database files.

It uses a single exe file and is just over 2.41 MB in size. Very portable. I like the very simple interface. Not very complicated and very easy to use to browse SQLite database files.

SQLite Spy

So while I was working on another post, I happened across this utility.

SQLiteSpy [Delphi Inspiration] - (free for personal/educational use) - This application uses a very handy treeview. I find this much easier to help me understand the structure. Editing is supported and different data types are displayed with different background coloring. Full Unicode support. Tab-based views for displaying multiple SQL queries and database elements. There are lots of data and file compression options as well as encryption support. The SQLite engine is built into the single exe file.

No install is required. Download and unzip. The exe file comes in at a light 1.8 MB filesize. No registry writes. Options are kept in a self-generated .db3 file in the application's folder when launched. Nicely portable.

SQLite Administrator

That one led me to this one.

SQLite Administrator - (free for private use) - This utility has the treeview pane that I like so much, as well as a very GUI image-rich interface. Like the others, this utility allows for creation, editing, and deletion of tables, indices, views and triggers. However, it brings to the table some nice wizard based helps for these actions. It supports SQL code highlighting and error location. You can import data from CSV files and export data in XLS/CSV/HTML/XML formats. Internal query storage is possible. Images may be stored in Blob fields.

It appears to be a very full-featured utility for working with SQLite files.

Like the others, this one does not require installation. Download the zip file and decompress it. The application folder size is much larger than the others, coming in at just over 4.53 MB. If you delete all the language files except for the single one you need, you can drop it down to 4.35 MB. Not that big a difference. Aside from the language file(s), there is the main exe file and two supporting dll files. Although it is larger, it also remains portable.

So, regardless of whether you need one of these utilities to quickly and freely manage and view the Mozilla .sqlite files, or to do more extensive SQLite database work, there are more options and all are small, fast, and portable.

Unfortunately, my database work is in the realm of Microsoft Access. As such, besides using these tools to inspect and export data, I can't effectively evaluate their real power and functionality with SQLite database work.

If anyone can provide more rounded comments on any of these products' features, please feel free to leave a comment.

Friday, February 15, 2008

One of the features I have always enjoyed with Chron.com TechBlog and other blog sites is being able to see recent comments up front. In fact, the TechBlog is one of the few places where I actually subscribe to the comments feed along with the main posts.

I have now added a sidebar element to the GSD blog which meets this need. Scroll down a bit and you should see it along with (at this time) comments from Fird, TxGoodie, Jim and Therion Ravenwing. (Thanks all!) I feel really fortunate that there are such kind and warm folks who take the time to leave a comment over here.

I think providing recent comments on your main page can work to illustrate to new visitors that a blog has a good community behind it; "street-cred" if you will. And faithful readers can quickly catch up on older posts that are still generating interest.

In addition, some of the threads generated in the comments can become a story unto itself, often surpassing the original blog post in information and detail. I almost always take the time to look for comments on a post I am reading to see what the "vibe" is and if there is any supplemental information provided by readers.

If you are a regular blog reader and are feeding the main page, or dropping in to it directly, you almost always miss the comments. Unless you click on the main post, proper, you might never see them.

And, there is always something rewarding and fun when you are able to view your comments along with your name. And it seems like a fine way to thank your faithful commenters.

Unfortunately, Blogger doesn't have a "ready" widget to use to add recent comments to your layout.

So I went looking.

Blogger Buster "Customize Recent Comments Widget"

This was the first site/solution I located.

Blogger Buster is a fantastic resource for folks looking to understand and enhance their Blogger blogs. Lots of templates, quite a few tools, and a notebook full of tips. Great site to bookmark for all you Blogger/Blogspot fans out there.

Decide if you want to show comments and post title, and how many characters of the comment.

Apply and add the Widget to your blog.

Done.

I tried it and it almost worked great.

For some reason it wasn't formatting the Grand Stream Dreams comment feed correctly in the code. Once I inspected the code and found the errors, I was able to fix them and it worked and looked very nice.

However, there was one drawback. It works off a .js (JavaScript) file located on the Blogger Buster servers. That's not a problem in and of itself, but some web users (and site administrators) don't like that for security reasons. I'm not saying that there is any problem with this one, but if the remote server were compromised (or simply went off-line) and the code with it, then that compromise would spread to every endpoint blog that loads it.

So while I can say the Blogger Buster widget works great, that might be a concern for some folks.

I did like the JavaScript solution, but wanted a way I could maintain some control over it (not that I am a JavaScript coder or anything) to ensure I could always inspect it and was "hosting" it myself.

Another simply amazing website filled to the brim with tips, tricks, templates, widgets, javascript and all kinds of other goodies for Blogger users. bizwhiz's detail in going over code elements, how things work together, and why some solutions are better than others is simply invaluable for beginners and pros alike. Highly recommended website.

Anyway, in this post, bizwhiz first illustrates how to turn on Comment feeds for your Blogger blog.

Next is a discussion on JavaScript and the fact that some folks don't like it due to security concerns. I was impressed to see this discussion addressed.

Instead of giving you a pre-formatted .js file to link to in your widget, bizwhiz provides you the code directly. You can inspect it, review it and decide what you think.

If you like it (which I do) using it is very, very simple.

Log into your Blogger Dashboard and go to the Layout section. Go into the "Page Elements" and select "Add a Page Element".

In the list of items, find the "HTML/JavaScript" widget and add that.

Copy the JavaScript code from the blog-post and paste it into the widget's text-box field.

Adjust the comment.length and comment.substring values up or down from the default value of "100" if you wish. (Just make sure they match). It's pretty clear in the post where these are located.

If you want more than 5 comments to appear, adjust the variable that controls that in the top of the code.

I got outside in the beautiful outdoors, pulled all the weeds in the backyard. Then had the fortitude to go ahead and do the season's first grass-cutting.

I broke the lawn-mower by ripping the starter pull-cord completely out of the engine. (I didn't know my own strength!) I couldn't stop for breaks because if I cut it off, I might not be able to get it repaired and get going again.

Then once the yard was mowed in a single effort, I fixed the lawnmower. Handy guy that I am, better than before.

Then I re-cleaned the kitchen and vacuumed the house.

Then I hauled Alvis out of the house with me. We went and picked up some Baskin Robbins ice-cream, and stopped by McD's to bring the family dinner home. I have been burning some major calories today and didn't feel guilty in the least.

Superman ain't got nothing on me!

Now I've got one last post to make, so hold on tight. I'm tired and looking for bed!

Sysinternals Spectaculars

AutoRuns for Windows - (freeware) - Updated to v9.12. Not sure what got fixed in this one. No post update yet to explain the update. Change notes for the very recent v9.10 and v9.11 indicate work done to add a command-line output to XML as well as the ability to display the MD5, SHA1, and SHA256 hashes of auto-start items to more precisely identify files, especially for forensics.

The Case of the Unexplained…Live! - (SilverLight Webcast) - Mark Russinovich does a presentation on how to use his Sysinternals tools and advanced techniques to troubleshoot Windows issues.

Mark's Blog : Inside Vista SP1 File Copy Improvements - (post) - Mark goes deep into the inner workings and functions of the Vista SP1 file-copy improvements. Really awesome look at how file-copy works and how it was improved. Very interesting blog-post. Highly technical but very good.

The Future of Microsoft Backwards Compatibility?

Peek into the future of legacy compatibility in Windows - (post) - Long Zheng provides a very interesting look at how Microsoft might address legacy Windows operating system compatibility as it moves to its next OS release. This is one of the reasons Microsoft's OSes are so large and bloated: legacy support. Microsoft fans expect to be able to run older applications on newer OSes.

The solution? At least according to Long's post, loading older OS binaries in a virtualized environment.

Need to run an XP application on Windows 9? It would detect the application's level, load the binaries needed and an XP>Win9 compatibility module.

Very interesting take.

NirSoft's Utility Watch

Nir Sofer has been hard at work updating old utilities and releasing new ones!

USBDeview - (freeware) - View all USB devices currently connected to your system, as well as those that have been connected to it previously. You can also uninstall USB devices no longer used and disconnect ones that are still connected. Version 1.15, released this past week, adds the option to disable/enable selected USB devices, as well as to start the application in a "hidden" mode.

FileTypesMan - (freeware) - Alternative to "File Types" tab in the Folder Options window of Windows. "It displays the list of all file extensions and types registered on your computer. For each file type, the following information is displayed: Type Name, Description, MIME Type, Perceived Type, Flags, Browser Flags, and more. FileTypesMan also allows you to easily edit the properties and flags of each file type, as well as it allows you to add, edit, and remove actions in a file type." Runs on Win98 - Vista. Handy little app when working with file association problems or customizations.

ProduKey - (freeware) - My favorite keyfinding application for Windows. And one I can't use at work as Symantec keeps alerting on it as a "potentially unwanted application (PUA)". Grrrr. The network analysts don't even bother to tease me about it anymore when my laptop at work shows up on the weekly virus reports. Recover lost product key (CD-Key) of Windows/MS-Office/SQL Server installed on your computer. Version 1.20 now allows you to load the product keys from a remote computer or from an external (or target) drive. Really handy!

TrueCrypt 5.0 has been released. Among the new features are the ability to encrypt a system partition or entire system drive (i.e. a drive where Windows is installed) with pre-boot authentication, pipelined operations increasing read/write speed by up to 100%, Mac OS X version, graphical interface for the Linux version, XTS mode, SHA-512, and more.

After four years of development, during which millions of people downloaded a copy of TrueCrypt, it is the only open-source disk encryption software that runs on Windows, Mac OS X, and Linux. The newly implemented ability to encrypt system partitions and system drives provides the highest level of security and privacy, as all files, including any temporary files that Windows and applications create on system drives (typically, without the user's knowledge or consent), swap files, etc., are permanently encrypted. Large amounts of potentially sensitive data that Windows records, such as the names and locations of files opened by the user, applications that the user runs, etc., are always permanently encrypted as well.

System Encryption

TrueCrypt can on-the-fly encrypt a system partition or entire system drive, i.e. a partition or drive where Windows is installed and from which it boots.

System encryption provides the highest level of security and privacy, because all files, including any temporary files that Windows and applications create on the system partition (typically, without your knowledge or consent), swap files, etc., are permanently encrypted. Windows also records large amounts of potentially sensitive data, such as the names and locations of files you open, applications you run, etc. All such log files and registry entries are always permanently encrypted as well.

System encryption involves pre-boot authentication, which means that anyone who wants to gain access and use the encrypted system, read and write files stored on the system drive, etc., will need to enter the correct password each time before Windows boots (starts). Pre-boot authentication is handled by the TrueCrypt Boot Loader, which resides in the first cylinder of the boot drive.

Note that TrueCrypt can encrypt an existing unencrypted system partition/drive in-place while the operating system is running (while the system is being encrypted, you can use your computer as usual without any restrictions). Likewise, a TrueCrypt-encrypted system partition/drive can be decrypted in-place while the operating system is running. You can interrupt the process of encryption or decryption anytime, leave the partition/drive partially unencrypted, restart or shut down the computer, and then resume the process, which will continue from the point it was stopped.

To encrypt a system partition or entire system drive, select System > Encrypt System Partition/Drive and then follow the instructions of the wizard. To decrypt a system partition/drive, select System > Permanently Decrypt System Partition/Drive.

If you use TrueCrypt on your system (notebooks, desktops, portable drives) you can select the option to encrypt a partition or the entire drive. Additionally, the encryption authentication occurs pre-boot. So if you lose your laptop, but it was shut down, NOBODY can access the data on the drive, even if they remove the drive and place it as a slave on another system, or use a "Live" boot-CD. On top of this, it is able to encrypt/decrypt in place while the system is running, restarted, or shutting down. It will pick up where it left off when the system is restarted until the drive/partition encryption is completed. Wow.
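The interruptible in-place encryption described above is possible because a disk-encryption mode such as XTS transforms every sector independently under a sector-number tweak, so the whole resume state is a single sector count. The script below is an added example and not TrueCrypt's code: it uses an HMAC-SHA-512 keystream tweaked by the sector number as a stand-in for AES-XTS (a constructed assumption, so it runs with only the standard library), keeps the resume marker as a plain sector count, and shows what a running system reads back while the drive is still only partially encrypted.

```python
import hashlib
import hmac

SECTOR = 512  # bytes per sector


def sector_keystream(key: bytes, sector_no: int) -> bytes:
    """Keystream for one sector, tweaked by its sector number so every sector
    is transformed independently of its neighbours. This HMAC-SHA-512 counter
    construction is a stand-in for the AES-XTS mode TrueCrypt uses (assumption)."""
    out = bytearray()
    block = 0
    while len(out) < SECTOR:
        msg = sector_no.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha512).digest()
        block += 1
    return bytes(out[:SECTOR])


def transform_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    """XOR with the sector keystream; the same call encrypts and decrypts."""
    ks = sector_keystream(key, sector_no)
    return bytes(a ^ b for a, b in zip(data, ks))


class InPlaceEncryptor:
    """Encrypts a mutable 'disk' sector by sector. The only state needed to
    resume after an interruption is `done`, the count of finished sectors."""

    def __init__(self, key: bytes, disk: bytearray, done: int = 0):
        if len(disk) % SECTOR:
            raise ValueError("disk size must be a whole number of sectors")
        self.key, self.disk, self.done = key, disk, done

    @property
    def total(self) -> int:
        return len(self.disk) // SECTOR

    def finished(self) -> bool:
        return self.done == self.total

    def run(self, max_sectors=None) -> int:
        """Encrypt up to max_sectors further sectors (None = all remaining) and
        return how many were processed; calling again continues where it stopped."""
        processed = 0
        while not self.finished() and (max_sectors is None or processed < max_sectors):
            off = self.done * SECTOR
            plain = bytes(self.disk[off:off + SECTOR])
            self.disk[off:off + SECTOR] = transform_sector(self.key, self.done, plain)
            self.done += 1  # the marker advances only after the sector is written back
            processed += 1
        return processed

    def read_sector(self, n: int) -> bytes:
        """What the running OS sees: sectors below the marker are decrypted on
        the fly, sectors at or above it are still plaintext and pass through."""
        off = n * SECTOR
        raw = bytes(self.disk[off:off + SECTOR])
        return transform_sector(self.key, n, raw) if n < self.done else raw


def decrypt_all(key: bytes, disk: bytearray) -> bytes:
    """Recover the full plaintext of a completely encrypted disk."""
    return b"".join(transform_sector(key, n, bytes(disk[n * SECTOR:(n + 1) * SECTOR]))
                    for n in range(len(disk) // SECTOR))


if __name__ == "__main__":
    # Constructed sample: an 8-sector disk filled with a recognisable pattern.
    plain = bytes(range(256)) * 16
    disk = bytearray(plain)
    enc = InPlaceEncryptor(b"constructed 32-byte demo key....", disk)
    enc.run(3)  # "interrupted" after three sectors
    print("partially encrypted, resumable from sector", enc.done)
    resumed = InPlaceEncryptor(enc.key, disk, done=enc.done)  # e.g. after a reboot
    resumed.run()
    print("decrypts correctly:", decrypt_all(resumed.key, disk) == plain)
```

The one thing this toy glosses over is atomicity: a real implementation has to make the sector write and the marker update indivisible (or store the marker in a header that is flushed only after the sector is), because a crash between the two would leave one sector transformed twice, which with an XOR construction like this silently puts plaintext back on disk and then garbles it on decryption.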

While there are a number of very good commercial products on the market, that support file and disk encryption security, TrueCrypt has one extra amazing thing.

It's Open-Source and free!

If you have a laptop and keep any amount of critical and sensitive data on it, not just yours but say, that of your employees, then you need to keep it encrypted. Be it the files, a secure encrypted "virtual folder" that TrueCrypt can handle, or the entire drive. You simply must. People are counting on you to keep their information safe. It just takes a moment to lose your data to someone else, and possibly a lifetime to restore a stolen identity.

I really liked Comodo's v3.0 firewall (see Free Vista Firewalls: And then there were five). However, the issues with it preventing Vista updates caused me to return to the built-in Microsoft Firewall for Vista for now. Still, I think I am going to give Comodo one last chance.

Version 3.0.16.295 released this week makes some major changes on top of the fixes in version 3.0.15.227 which resolved the Vista updates bug.

NEW! Anti-Leak Configuration:- A new default configuration is introduced to make D+ show fewer popup alerts while still remaining leak-proof.

NEW! On-Demand Virus Scanning:- CFP now provides an option to scan for viruses during the installation and from its graphical user interface.

NEW! A-VSMART Warranty Program:- CFP now provides the users an option to enroll in one of the available A-VSMART Warranty programs.

IMPROVED! Self-Defense:- There have been various reports that CFP 3.0 is attacked by some malware to disable its protection. The self-defense has been modified such that an ungraceful termination of CFP will block every unknown action (i.e. it will function as if the "Block all unknown actions if the application is closed" option is selected; this option was not enabled by default).

IMPROVED! Handling of known code executing applications:- Defense+ has been modified such that some known code executing programs such as rundll32.exe or Windows Scripting Host are not automatically trusted anymore.

IMPROVED! Pending Files:- Defense+ has been modified such that it is not going to report any pending files if it is not in clean PC mode.

FIXED! Bugs in Defense+ Engine:- Fixed numerous bugs that could stop Defense+ from properly handling suspicious actions (e.g. bugs in registry and file protection, key logging etc.). Fixed the bug that could prevent CFP from functioning properly in certain types of hardware configurations (e.g. when a USB hard disk is present).

FIXED! Minor Bugs in the Graphical User Interface

[IN]SECURE Magazine - February 2008

Issue 15 - (free download) is now out on the Webstands.

Topics include:

Proactive analysis of malware genes holds the key to network security

Advanced social engineering and human exploitation

Free visualization tools for security analysis and network monitoring

Internet terrorist: does such a thing really exist?

Weaknesses and protection of your wireless network

Fraud mitigation and biometrics following Sarbanes-Oxley

Application security matters: deploying enterprise software securely

The insider threat: hype vs. reality

How B2B gateways affect corporate information security

Reputation attacks, a little known Internet threat

Data protection and identity management

The good, the bad and the ugly of protecting data in a retail environment

Malware experts speak: F-Secure, Sophos, Trend Micro

AND MORE!

I always enjoy reading this security webzine. The articles are fresh and insightful and cover a wide range of computer security related issues.

Security guru Didier Stevens has contributed an article in this issue showing how rainbow tables may be used to steganographically hide larger volumes of data than image files can. Really fascinating stuff!

Rogue Anti-Malware Products Run Rampant!

Be very, very careful on the choices you make downloading anti-malware products. It seems like every day a new "rogue" product hits the webs. Do your research carefully before going with a new product.

Looks can be deceiving. Many look very polished and professional, yet provide only false-positives and heartbreak as they demand $ to register the program to remove the (false) threats, or even worse, actually infect your system worse than before!

ReadyBoost is a solution in Vista that allows for certain cached items to be placed on a USB stick rather than on the hard-disk. This (theoretically) offers faster system performance.

I've found that more system RAM works even better. Since upgrading my Vista laptop from 1GB of system RAM to the 2GB max it can handle, it's like I have a whole new machine. Vista flies! We ordered up Dad's new Vista machine with 4GB RAM and it simply rocks the casbah!

However, some XP users feel forgotten and since Microsoft doesn't offer a ReadyBoost solution, leave it to third-party software vendors to come to the rescue.

eBoostr - (free/$) - Note, the free version only works for four-hours after each system reboot. So unless you are willing to reboot periodically, you will have to pony up some cash to speed up your cache!

miniMIZE - (freeware) - This is a tiny utility that triggers when you minimize an application window. Instead of just removing it from your desktop and sending it to the Task Bar, it actually places a thumbnail image on your desktop. Clever!

Screenshot - note that the windows are very small and for reference see the system tray icons in the bottom corner.

Still in beta, and may have some bugs, especially in hotkey handling. Use with a bit of caution.

However it could be quite handy, especially in a multi-monitor environment.

However, it seems that this release is the same version that came out under Vista SP1 RC Refresh 2.

There are lots of ways to get it if you dare (I don't, I'll be patient and wait for the "official" release), including torrents or registry hacks which get it flowing directly from Microsoft. I'm not going to post links to these, but you should be able to search them up quickly if you really want it that badly.

Also, to all those VistaPE WinBuilder fans out there, no you cannot use this new WAIK version to build your own VistaPE SP1 boot CD. Not yet at least.

I tried and got a marvelous BSOD at Vista boot when using VistaPE builder v011, although GRUB4DOS worked flawlessly.

I contacted NightMan who verified WAIK Vista SP1 version is not supported, yet.

It will be in VistaPE builder v012.

So unless you are building bare WinPE 2.0 disks, or have the need for this in your enterprise environment, stay away for now. Otherwise, you VistaPE builders out there, wait a bit longer for the v012 release then jump over and you'll have VistaPE SP1 running beautifully!

ImagexGUI Updated

If you know what ImageX is, then you might be interested to know there is a new release of ImageX GUI.

FireEncrypter - (Mozilla Add-on) - Fresh from my mad foray into the world of ROT13 and RC4 wackiness, I found this nice little extension that allows you to quickly and easily apply many common encryption schemes and hashes.

Not an everyday tool, but a nice friendly introduction into the world of encryption and decryption.

ESET is a Slovakian computer security company that has a global customer base. One of their most noted mainstream products is their anti-virus product NOD32. They also provide firewall, antispyware, and anti-spam solutions. They also offer a free online scanning service: ESET Online Scanner.

So being familiar with their security-minded model, I was intrigued what this new product could bring to the table.

SysInspector - Not What you Think

SysInspector - (beta - freeware) - is a single-file executable download. It is supported on Microsoft Vista/XP/2003/2000 in a 32-bit version. A 64-bit version is also available for all these systems (except 2000).

Having the program contained in a single executable is a nice feature. This means it should be easily portable on USB drives, and might (yet untested) even work off a CD/DVD-ROM disk. This should make the utility handy when sysadmins and desktop responders need to assess a running system and don't want to download the tool from the Net.

Once launched, the program begins an immediate scan of the system it is running on. Depending on the hardware and software of the system, time-to-application window display may take anywhere from under a minute to several minutes.

At the top-right is a menu-bar. Here you can select "File", "Tree", "List", or "Help" options.

The File menu allows you to open or save logs from your scans, generate reports formatted for sending in email or for personal (local) review, filter results by risk level, change the report view detail level from Full to Basic, and exit the program.

The Tree list simply allows you to quickly expand or collapse the item tree view on the left-hand side of the main window. There is lots of data here so generally I find it helpful to leave it compressed and manually expand the element items as I examine them. Otherwise it is information overload!

The List options provide navigational aids, history, show parents and nodes of tree items, copy items to clipboard, perform an online search, jump to the item location (file), and jump to the item location (registry).

The Help option offers a well-filled (for a beta product) help guide to the product. It also links to ESET's online scanner and has the "About" details for the program.

The Tool Bar

I'm calling the second line down a "tool bar" but there aren't tools or icons in it in the normal sense.

You can select the detail level again here (Full, Medium, Basic), set the item threat-filtering level using a color-coded slider bar from Fine (green will display all items) to Risky (only will display high-risk rated items). Lastly, there is a search form where you can search scan results for particular items.

The Left Tree Window

On the left hand side is a window that displays the following scanned areas:

Once a node is expanded, the items show up in the top-right window pane. Here you can examine each item in more detail. Right-clicking an item provides the navigation items or web-search options.

Clicking on an item in that pane provides a highly detailed breakdown of the item in the bottom-right pane. You may scroll this section and, if you need to, right-click to save the information to the clipboard.

Different nodes provide different information. For the most part, the column headings are the same.

All items have a "risk-status" rating, as previously mentioned.

Thoughts

The program runs very quickly and provides an expansive overview of a system. ESET has done well to focus on the major problem points a system might have, and the tool should serve desktop support staff well.

While I am not sure what internal methodology ESET has programmed their application to use, it allows a system responder to quickly sort through lots of information and focus on the "high-risk" hits that were found during the scan.

It does not remove malware. It does not flag virus or malware. I didn't find the application has the ability to even kill or terminate processes, or change registry values. This isn't the type of tool it is.

Rather, SysInspector is a first-response assessment tool, used to help skilled support staff quickly identify points of interest on a system. Using this information, the responder may be able to plan a more targeted approach to dealing with the results. This isn't a tool for the casual or home-user attempting to fight malware.

ESET SysInspector is an application that thoroughly inspects your computer and displays gathered data in a comprehensive way. Information like installed drivers and applications, network connections or important registry entries can help you to investigate suspicious system behavior, be it due to software or hardware incompatibility or malware infection.

Nor does there currently appear to be any documentation on how ESET calculates the various threat level ratings it gives. I'm sure there is some kind of file entropy calculation going on. But I can't be sure.
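ESET does not document its rating, so the entropy guess above stays a guess, but byte entropy is a standard triage signal in its own right: packed or encrypted executables sit near 8 bits per byte, plain text and ordinary code well below. The script below is an added example, not ESET's code or method. It computes that signal over constructed sample items, bands it into the Fine/Unknown/Risky levels assumed here to mirror the slider described earlier (level names and thresholds are assumptions), and builds the kind of plain-text report you would save for off-system review.

```python
import math
import random
from collections import Counter

# Ordinal risk levels mirroring the Fine..Risky slider (names and order assumed).
LEVELS = ["fine", "unknown", "risky"]
# Entropy bands in bits per byte (constructed thresholds, not ESET's).
UNKNOWN_AT, RISKY_AT = 6.0, 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 when every byte is the same, 8.0 when all 256
    values are equally frequent, as in compressed or encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def rate_item(name: str, content: bytes) -> dict:
    """Band an item's entropy into a coarse risk level."""
    h = shannon_entropy(content)
    level = "risky" if h >= RISKY_AT else "unknown" if h >= UNKNOWN_AT else "fine"
    return {"name": name, "entropy": round(h, 2), "level": level}


def filter_by_slider(items, minimum: str):
    """'fine' shows every item, 'risky' only the highest-rated ones."""
    threshold = LEVELS.index(minimum)
    return [i for i in items if LEVELS.index(i["level"]) >= threshold]


def build_report(items, minimum: str = "fine") -> str:
    """Plain-text report suitable for saving and reviewing off-system."""
    rows = [f"{i['level']:<8} {i['entropy']:5.2f}  {i['name']}"
            for i in filter_by_slider(items, minimum)]
    return "\n".join(["level    entropy  item"] + rows)


# Constructed sample "scan results": names and contents are made up.
_rng = random.Random(1)
SAMPLE_ITEMS = [
    ("config_notes.txt", b"plain text configuration, nothing exciting here\n" * 20),
    ("ordinary_tool.exe", bytes(range(32, 127)) * 40),  # code-like spread of byte values
    ("unknown_packed.exe", bytes(_rng.getrandbits(8) for _ in range(4096))),  # packed look
]


def rate_sample():
    """Rate the constructed items; returns one dict per item."""
    return [rate_item(name, content) for name, content in SAMPLE_ITEMS]


if __name__ == "__main__":
    print(build_report(rate_sample(), "fine"))
```

Entropy alone is a blunt instrument (legitimately compressed installers and signed packers score high too), which is why a tool like this surfaces items for a trained responder to look at rather than deciding for them.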

ESET's building of reports and clipboard supported information captures is great. Being able to export information for later review, off-system is a valuable feature.

SysInspector is a tool to quickly scan and assess very complex operating systems and the processes and files they contain. From there, response is left up to the skills and training of the responder.

This product is currently in "beta" status. No word if this version has a time-bomb or not. Nor is it clear if this will be a free security product ESET offers to the security and sysadmin community or if it will later require $ to use.

Either way, having a fast, small, and single executable system assessment utility is a good thing. ESET has done their homework and I can only expect good things and improvements as this tool makes its way out of the beta process.
